I like to MOVEit, MOVEit - UPDATE
July 13, 2023 - Update
July 4, 2023 - Update
The current victim list is massive and growing, and Clop continues to share new entries every day, which begs the question: how many companies have actually been affected by this attack? Some victims have publicly announced their involvement in the breach; others have simply been named by Clop themselves. We’ll be following this attack closely and updating this blog with new information as the story unfolds.
Let’s take a look at the 124 victims that have been announced as of July 4, 2023, 9:33 CDT:
University of Rochester, based in Rochester, New York
Zellis, UK based software development company
BORN Ontario, healthcare organization in Canada
Extreme Networks, US based software development company
Synlab, French medical diagnostic service provider
Government of Illinois
HSE, public health service in Ireland
Landal Greenparks, European holiday facilities
Ofcom, UK’s media watchdog
Ernst & Young (EY), global accountancy firm
Transport for London (TfL), UK government body
Prudential Assurance Malaysia Berhad (PAMB), Malaysian insurance company
Prudential BSN Takaful Berhad (PruBSN), Malaysian takaful company
1st Source Bank, Michigan based bank
Datasite LLC, US based SaaS provider
First National Bankers Bank, US based bank services provider
GreenShield Canada, a non-profit benefits carrier
Heidelberger Druckmaschinen, German precision engineering company
Leggett and Platt, US based manufacturing firm
National Student Clearinghouse, US based educational not for profit organization
OKK, insurance company based in Switzerland
Putnam Investments, US based investment management firm
United HealthCare Services, US based health insurance firm
Shell, British multinational gas company
University of Georgia, based in Athens, Georgia
Johns Hopkins University and Health System, based in Baltimore, Maryland
HealthEquity, US based financial technology and business services provider
CU*Answers, US based software company
NavAXX S.A., Luxembourg based financial services company
Delaware Life, US based insurance company
Fiduciary Outsourcing, US based fiduciary retirement plan administration provider
Enzo Biochem, US based medical diagnostics firm
CareServices LLC, US based healthcare services provider
Genericon Pharma, Pharmaceutical company based in Austria
Brault, US based technology firm
A + Federal Credit Union, Texas based Credit Union
Bar Harbor Bank, US based bank
Power Financial Credit Union, South Florida based Credit Union
East West Bank, US based bank
Oak Ridge Associated Universities, based in Oak Ridge, Tennessee
Marti Group, Swiss contracting company
PRA Group, US based debt collection agency
Umpqua Bank, US based bank
University of Missouri, based in Columbia, Missouri
IC System, US based debt collection services
ARBURG, European plastics manufacturer
Boston Globe, US daily newspaper
China CITIC Bank, commercial banking company
STIWA Group, Austrian manufacturing company
Cegedim SA, French technology company
Aon, global insurance company
Nuance Communications, US based software company
Pan American Life Insurance Group, US based insurance organization
Gesa, Washington based Credit Union
Telos, US based Information Technology company
Santa Clara University, based in California
Skillsoft, US based educational technology company
Cree Lighting, US-based LED lighting manufacturer
Gen Digital, the parent company of cybersecurity brands Avast, Avira, Norton and LifeLock
Stockman Bank, Montana based community bank
Baesman, US based marketing services provider
EMSS Inc, Hawaii based IT services and IT consulting organization
CBE, construction company based in Australia
Zurich Insurance Brazil
PricewaterhouseCoopers (PWC), global accounting firm
MS Amlin, UK based insurance operator
GUS Canada, a network of higher education institutions in Canada
Schneider Electric, UK based energy equipment and solutions provider
Siemens Energy, energy development company based in Germany
Werum, a solution owned by Koerber Pharma
UCLA, based in Los Angeles California
AbbVie, US based pharmaceutical company
Wilton Reassurance Company, US based life insurance agency
Proskauer, multinational law firm
Kirkland & Ellis, multinational law firm
Kotak Life, life insurance company based in India
Starmount Life, US based life insurance company
Jackson National, US based retirement planning company
CareSource, Ohio based not for profit organization
Sapiens International, computer software company based in Israel
Enstar Group, insurance company based in Bermuda
Cognizant, multinational IT services and consulting company
Delta Dental, American network of dental insurance companies
CPIAI, Texas based insurance company
Darling Consulting Group, US based financial advisor
K&L Gates, US based law firm
Region of Queens Municipality, Canada
IWK Health Centre, based in Halifax, Nova Scotia
Metro Vancouver Transit Police
AOK, an association of statutory health insurers based in Germany
Verivox, German comparison-shopping website
Barmer, Berlin based health insurance company
Verlagsgesellschaft Vogelsberg GmbH & Co, Germany based publishing company
Encore Capital Group, US based financial services company
TrellisWare Technologies, US based telecommunications company
Hornbeck Offshore, US based maritime transport company
FIS Global, multinational financial services organization
Iron Bow Technologies, software company based in Virginia
Vericast, Texas based advertising services agency
Sovos, US based software development company
The Harrington Group, not for profit organization based in Minnesota
City National Bank of Florida
Clicks Group, South Africa based health retailer
Allegiant Air, US based airline
Rhenus Group, German logistics company
Digital Insight, US based software provider
Kirkland and Ellis LLP, multinational law firm
June 16, 2023 - Original Article
If you woke up to the news this morning, June 16, 2023, you would have heard of the massive cyberattack that is evolving and engulfing the globe:
Is this part of a nation-state event? Time will soon tell. In today’s blog, I will attempt to unfold what I believe are the mechanics behind this cyberattack.
In today's interconnected world, businesses face numerous cybersecurity threats that can compromise their sensitive files during transit. However, a renowned software called MOVEit has emerged as a trusted solution, offering an impenetrable fortress to safeguard confidential data. Despite its reputation, recent events have shed light on the ever-evolving nature of digital threats and the need for constant vigilance. Let's delve into the details of the MOVEit Transfer cyberattack and the implications it holds for organizations worldwide.
The Unveiling of a Zero-Day Vulnerability: On May 31st, the cybersecurity community was rattled by the revelation of a zero-day vulnerability exploit in MOVEit Transfer, a file transfer product developed by Ipswitch, a subsidiary of Progress. What made this discovery even more alarming was the fact that this vulnerability had been lurking for over two years, exposing organizations to potential risks. Exploiting this weakness was a notorious Russian-linked ransomware group known as CLOP Ransomware.
The Long-Term Exploitation Efforts: Kroll Threat Intelligence research suggests that CLOP Ransomware began experimenting with the MOVEit vulnerability as early as July 2021, seeking ways to monetize their exploit. Initially, their activities were primarily manual, involving testing access to vulnerable MOVEit Transfer clients and gathering information to identify the organizations using the software. However, by April 2022, the threat actors had adopted an automated mechanism to probe multiple organizations simultaneously and collect valuable data from them.
The Extraction of Crucial Information: Before the mass exploitation began, the attackers conducted their last round of testing activities in May. Their objective was to extract the unique "Org ID" identifier associated with each MOVEit Transfer user. This information would have enabled the attackers to categorize the organizations they could potentially access. Disturbingly, as of June 2, 2023, a Shodan query revealed that there were 2,526 publicly accessible instances of MOVEit Transfer that could potentially be vulnerable.
Organizations Caught in the Crosshairs: As the scope of the MOVEit Transfer cyberattack unfolds, Brett Callow, a cyber threat analyst with Emsisoft, indicated that there were 47 confirmed victims so far, "plus a number of as yet unidentified U.S. government agencies." He added that CLOP claimed "hundreds of organizations have been impacted." The sectors predominantly affected include government, financial services, healthcare, pharmaceuticals, and technology.
Prominent Victims and the Fallout: The victims of the MOVEit Transfer cyberattack span various industries and include renowned names such as 1st Source, First National Bankers Bank, Putnam Investments, Landal Greenparks, and Shell. Additionally, educational institutions like the University System of Georgia and prestigious companies like BBC, Aer Lingus, and British Airways also found themselves on the list of targets. And, as we have seen in today’s news, so have government agencies at both the local and federal levels.
The Aftermath: The repercussions of this cyberattack are far-reaching. Companies like Datasite, United Healthcare, Leggett & Platt, ÖKK, and Zellis, a provider of HR and payroll software, have confirmed the compromise of their MOVEit systems. Moreover, the Government of Nova Scotia acknowledged the impact on their file-sharing infrastructure, potentially putting citizens' personal information at risk.
Continuing Fallout and Lessons Learned: As the investigation into the MOVEit Transfer cyberattack progresses, more organizations are expected to come forward as victims. The incidents at Johns Hopkins University and Ofcom serve as glaring examples of the potential damage caused by this breach. The attackers gained access to sensitive personal and financial information, demonstrating the severity of the situation.
Conclusion: The MOVEit Transfer cyberattack serves as a stark reminder that even the strongest fortresses can face unexpected disruption. The inevitability of a cyberattack on an organization can no longer be ignored. Who knows how far-reaching this ransomware event will go. One thing is for certain: it’s not if but when. Bad actors like CLOP Ransomware will continue down this criminal path for a payday.
To ensure a Positive Outcome: Every organization should have a fortified bunker to protect their critical and sensitive data from the ever-evolving tactics of sophisticated hackers like CLOP Ransomware. This bunker takes the form of an offline, physically isolated, and immutable data copy, continuously monitored by an intelligent analytics engine. This proactive approach enables us to swiftly detect and respond to any signs of compromise, safeguarding our valuable assets.
When it comes to choosing a solution, it's important not to settle for a generic or checkbox approach. According to Gartner, the highest level of security and recovery against insider threats, ransomware, and hacking is provided by Isolated Recovery Environments (IREs) with Immutable Data Vaults (IDVs). Dell's PowerProtect Cyber Recovery is specifically recognized by Gartner for offering IREs with IDVs. While other vendors may offer alternatives, it is crucial to consider whether their solutions truly ensure your ability to resume business operations after a sophisticated attack.
I say this time and again, organizations should never underestimate the power of preparedness and take a proactive stance against the threats that loom in today’s digital realm.
Senior Sales Manager at Palo Alto Networks | Technology Sales & Business Development Leader | 4x Presidents Club | Data Center Infrastructure | Cloud | SaaS | Cybersecurity | Digital Transformation
1 year
I read Ron Netherland's post to the beat of "I like to move it move it..." Good content as always, Ron!
Helping Enterprises with Cloud, Digital, IT, Workforce and Security
1 year
I think a few people will definitely be MOVE-ing-it now, Ron!
Advisory Field CTO, Cyber Resilience & Compliance
1 year
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a